A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky.
“These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,” Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said.
The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach.
Specifically, three different components of DAEMON Tools have been tampered with –
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
Any time one of these binaries is launched, which typically happens during system startup, an implant is activated on the compromised host. It’s designed to send an HTTP GET request to an external server (“env-check.daemontools[.]cc”) – a domain registered on March 27, 2026 – in order to receive a shell command that’s run using the “cmd.exe” process.
The shell command, for its part, is used to download and run a series of executable payloads. These include –
- envchk.exe, a .NET executable to collect extensive system information.
- cdg.exe and cdg.tmp, the former of which is a shellcode loader responsible for decrypting the contents of the second file and launching a minimalist backdoor that contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory.
The Russian cybersecurity company said it observed several thousand infection attempts involving DAEMON Tools in its telemetry, impacting individuals and organizations in more than 100 countries, such as Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor has been delivered only to a dozen hosts, indicating a targeted approach.
The systems that received the follow-on malware have been flagged as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. What’s more, one of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT. The use of the C++ implant has been recorded against a lone victim: an educational institution located in Russia.
“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner,” Kaspersky said. “However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.”
The malware supports a variety of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and comes equipped with capabilities to inject payloads into legitimate “notepad.exe” and “conhost.exe” processes.
The activity has not been attributed to any known threat actor or group. But evidence points to it being the work of a Chinese-speaking adversary based on an analysis of the artifacts observed.
The DAEMON Tools compromise is the latest in a growing list of software supply chain incidents in the first half of 2026, and follows similar high-profile breaches involving eScan in January, Notepad++ in February, and CPUID in April.
“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” Kucherin, senior security researcher at Kaspersky GReAT, said in a statement shared with The Hacker News.
“Because of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities. Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.”
